Dear all,
I need help in configuring an SRX320 (15.1X49-D150) for filter-based forwarding with NAT on a routing instance. I have ISP1 via pp0.0 and ISP2 via ge-0/0/1 (220.127.116.11), which is connected to an ADSL modem (18.104.22.168). All port forwarding on the ADSL modem goes to ge-0/0/1 of the SRX. I need the IP address 10.78.1.250 in the trust zone (ge-0/0/2) to use ISP2 directly. Things go well with the commands below, in addition to the needed policy and source NAT from Trust to ISP2 for 10.78.1.250 using the egress interface.
set interfaces ge-0/0/2 unit 0 family inet filter input webFilter
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 22.214.171.124
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
The above makes the IP address 10.78.1.250 successfully use only ISP2.
Now I need NAT (port forwarding) from the Internet to this IP address (10.78.1.250). I made a static NAT, and also a destination NAT, from the ISP2 zone or interface (ge-0/0/1), with the destination IP of ge-0/0/2 (126.96.36.199) translated to the internal prefix IP (10.78.1.250). It doesn't work.
How can I make NAT work as explained above?
Please share your NAT configuration which is not working
Hi, and thanks for your reply.
Please find below the explained scenario:
All Trust users go to the Internet via ISP1 (pp0.0), except one IP (10.78.1.250) that must go via ISP2 (ge-0/0/1, connected to the ADSL modem).
This was done successfully using filter-based forwarding as below, with a forwarding instance type.
set interfaces ge-0/0/2 unit 0 family inet filter input webFilter (ge-0/0/2=10.78.1.1=Trust)
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 188.8.131.52 (adsl modem)
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set security nat source rule-set FB from zone Trust
set security nat source rule-set FB to zone ISP2
set security nat source rule-set FB rule R1 match source-address 10.78.1.250/32
set security nat source rule-set FB rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set FB rule R1 then source-nat interface
The same IP (10.78.1.250) is configured with static NAT to allow traffic to it from ISP2.
Traffic comes to the ADSL modem --> NAT to SRX ge-0/0/1 (ISP2 zone). Static NAT is configured from the ISP2 zone, with the destination IP of ge-0/0/1 (184.108.40.206) translated to the internal prefix IP (10.78.1.250).
What needs to be modified to make the static NAT work? The configuration below doesn't work (the needed security policies are configured too, omitted here).
set security nat static rule-set FB1 from zone ISP2
set security nat static rule-set FB1 rule ru1 match destination-address 220.127.116.11/32 (srx-ge-0/0/1port)
set security nat static rule-set FB1 rule ru1 match destination-port 134
set security nat static rule-set FB1 rule ru1 then static-nat prefix 10.78.1.250/32
set security nat static rule-set FB1 rule ru1 then static-nat prefix mapped-port 134
I also tried configuring the routing instance type as virtual-router, and doing the static NAT from the routing instance instead of the ISP2 zone, but to no avail.
Can the instance type be configured as virtual-router, with the ISP2 port (ge-0/0/1) and the static NAT added to it, without adding the Trust interface (ge-0/0/2)?
Thanks and regards,
I see that the address used for the server is not the same as the interface address but is in the same subnet.
18.104.22.168 -- NAT address
Is proxy ARP enabled for the NAT address on the SRX interface?
This is needed for this situation.
If it is already on, when you make the connection attempt, can you look at the session table at the same time to see which policy and NAT action is taken by the SRX? Use the public source address your inbound connection attempt is coming from to see how the SRX matches the traffic.
show security flow session source-prefix x.x.x.x
Thanks for the reply. I don't see in my post that there is an IP address 22.214.171.124.
However, the NAT address and the interface IP address of ge-0/0/1 are the same = 126.96.36.199. So I am not using proxy ARP.
Is there any other suggestion to solve my issue?
If the NAT address is the same as the interface, then proxy ARP is not needed.
Please do run the session viewer to see what policy your inbound connection attempts are hitting. This will also show the NAT rules that are engaged. If they are hitting the incorrect policy or NAT rule, we will see which one and can look at the policy details and ordering to adjust and move policies to have the desired effect.
If no session is created, then the policies are not correct, so we will need to see the whole policy stack to determine why.
Your configuration looks good and the static NAT should work. Are you sure that the traffic is hitting the SRX?
Please enable flow traceoptions and initiate traffic to see where the packet is getting dropped.
1. Enable flow trace:
set security flow traceoptions file FLOW.log size 10m
set security flow traceoptions flag packet-drops
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter p1 source-prefix <ip address of the outside PC from where traffic is initiated>
set security flow traceoptions packet-filter p2 destination-prefix <ip address of the outside PC from where traffic is initiated>
2. Initiate traffic from outside (ISP2)
3. Remove flow trace options
delete security flow traceoptions
4. Analyze the FLOW.log or share with us
show log FLOW.log | match "p|permit|drop|policy"
It works after adding the routing instance to the static NAT and also adding the routing instance to the interface connected to ISP2.
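As an added reconstruction of the fix the last reply describes (this is not the poster's own configuration): the ISP2 interface is placed in the webtraffic instance, which therefore has to become a virtual-router, and the static NAT rule-set is scoped to that instance instead of the zone. Instance, filter, rule-set names and addresses are taken from the thread; the zone-to-interface bindings are assumed, since the thread omits them.

```junos
# The instance now owns the ISP2 interface, so it must be a virtual-router
# (a forwarding-type instance cannot hold interfaces).
set routing-instances webtraffic instance-type virtual-router
set routing-instances webtraffic interface ge-0/0/1.0
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 188.8.131.52

# Interface routes from inet.0 (the Trust subnet behind ge-0/0/2) are still
# shared into webtraffic.inet.0 so translated inbound traffic and return
# traffic can reach 10.78.1.250 from the ISP2 side.
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set routing-options static route 0.0.0.0/0 next-hop pp0.0

# Filter-based forwarding for the single host, unchanged from the thread.
set interfaces ge-0/0/2 unit 0 family inet filter input webFilter
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept

# Outbound source NAT for the FBF host, unchanged from the thread.
set security nat source rule-set FB from zone Trust
set security nat source rule-set FB to zone ISP2
set security nat source rule-set FB rule R1 match source-address 10.78.1.250/32
set security nat source rule-set FB rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set FB rule R1 then source-nat interface

# Static NAT now scoped to the routing instance rather than the ISP2 zone;
# this is the change the last reply reports as making the port forward work.
set security nat static rule-set FB1 from routing-instance webtraffic
set security nat static rule-set FB1 rule ru1 match destination-address 220.127.116.11/32
set security nat static rule-set FB1 rule ru1 match destination-port 134
set security nat static rule-set FB1 rule ru1 then static-nat prefix 10.78.1.250/32
set security nat static rule-set FB1 rule ru1 then static-nat prefix mapped-port 134

# Zone bindings (assumed). ge-0/0/1 stays in zone ISP2 even though it now
# belongs to the webtraffic instance; ge-0/0/2 remains in inet.0 as asked.
set security zones security-zone ISP2 interfaces ge-0/0/1.0
set security zones security-zone Trust interfaces ge-0/0/2.0
```

After committing, the session check suggested earlier in the thread (show security flow session source-prefix with the outside host's address) confirms which policy and NAT rule the inbound connection hits.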